-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ansible-vault 2.4 and 2.5 "New Vault Password" prompt when using edit/view/etc commands after running original encrypt operation #30491
Comments
I can reproduce this with |
Submitted PR #30493 to fix. |
@nrwahl2 Full disclosure, I may not have had an issue with view, I incorrectly extrapolated edit not working, to the rest of them not working. My apologies, next time I will be more careful with my titles and writing out the problem. |
@JohnVonNeumann No problem. It only took a minute or two to see what was and what was not working as expected. Basically |
@nrwahl2 Yeah you got onto it quickly! Good work on that, honestly I'm a little bit annoyed at myself for not figuring it out, I would usually look at the code first and see if I could figure it out. Given me a bit of courage to try and submit my own fixes now though, so thank you for that. |
Sure thing :) hardest part with Ansible (and presumably other projects) is getting your bearings and figuring out what's where. I still do a lot of "grep -R and hope." Happy future bugfixing.
…-------- Original Message --------
On Sep 18, 2017, 00:45, Louis Willcock wrote:
***@***.***(https://github.com/nrwahl2) Yeah you got onto it quickly! Good work on that, honestly I'm a little bit annoyed at myself for not figuring it out, I would usually look at the code first and see if I could figure it out. Given me a bit of courage to try and submit my own fixes now though, so thank you for that.
—
You are receiving this because you were mentioned.
Reply to this email directly, [view it on GitHub](#30491 (comment)), or [mute the thread](https://github.com/notifications/unsubscribe-auth/AdEzNchFxSNcbvOdJlY7H5AO2u5C_s0eks5sjgN1gaJpZM4PaW79).
|
Some notes at: #30493 (comment) |
so goal for 'ansible-vault edit existing_encrypted_file.yml' is to be prompted for a single password instead of being prompted for a new password? Since the file will be encrypted with whatever password is entered at the prompt, current code treats that like a new file (to avoid re-encrypting the file with the typo). I'm leaning towards the 2.4 behavior being correct (prompt for new) and the 2.3 behavior being wrong (no confirm on entered password). I guess it depends if not matching the 2.3 behavior exactly is considered a bug. |
Hmm, interesting. That seems busted UXD wise. (I can see why the current code does that, but that doesnt seem like the right thing...) |
I think I have a way to use the 2.3 UI and auto_prompt, pr soon |
2.3 behaviour is correct if and only if edit is used with an existing encrypted file. There can be no typo in the password in that case because the file will not decrypt if there is a typo in the password. For creating a new file with ansible-vault edit, the two password prompt makes sense. |
doesn't work in 2.0/2.1/2.2/2.3/2.4 (shows some variant of 'file not found' error) |
(#30491 (comment) confirms that single password prompt of 'edit' (ala 2.3) makes sense) |
YES, but the same behavior occurs with A lot of this hinges upon whether we want or expect
That is what |
* Don't ask for password confirm on 'ansible-vault edit' This is to match the 2.3 behavior on: ansible-vault edit encrypted_file.yml Previously, the above command would consider that a 'new password' scenario and prompt accordingly, ie: $ ansible-vault edit encrypted_file.yml New Password: Confirm New Password: The bug was cause by 'create_new_password' being used for 'edit' action. This also causes the previous implicit 'auto prompt' to get triggered and prompt the user. Fix is to make auto prompt explicit in the calling code to handle the 'edit' case where we want to auto prompt but we do not want to request a password confirm. Fixes #30491
This is to match the 2.3 behavior on: ansible-vault edit encrypted_file.yml Previously, the above command would consider that a 'new password' scenario and prompt accordingly, ie: $ ansible-vault edit encrypted_file.yml New Password: Confirm New Password: The bug was cause by 'create_new_password' being used for 'edit' action. This also causes the previous implicit 'auto prompt' to get triggered and prompt the user. Fix is to make auto prompt explicit in the calling code to handle the 'edit' case where we want to auto prompt but we do not want to request a password confirm. Fixes #30491 (cherry picked from commit 307be59)
* Don't ask for password confirm on 'ansible-vault edit' This is to match the 2.3 behavior on: ansible-vault edit encrypted_file.yml Previously, the above command would consider that a 'new password' scenario and prompt accordingly, ie: $ ansible-vault edit encrypted_file.yml New Password: Confirm New Password: The bug was cause by 'create_new_password' being used for 'edit' action. This also causes the previous implicit 'auto prompt' to get triggered and prompt the user. Fix is to make auto prompt explicit in the calling code to handle the 'edit' case where we want to auto prompt but we do not want to request a password confirm. Fixes ansible#30491
* Don't ask for password confirm on 'ansible-vault edit' This is to match the 2.3 behavior on: ansible-vault edit encrypted_file.yml Previously, the above command would consider that a 'new password' scenario and prompt accordingly, ie: $ ansible-vault edit encrypted_file.yml New Password: Confirm New Password: The bug was cause by 'create_new_password' being used for 'edit' action. This also causes the previous implicit 'auto prompt' to get triggered and prompt the user. Fix is to make auto prompt explicit in the calling code to handle the 'edit' case where we want to auto prompt but we do not want to request a password confirm. Fixes ansible#30491
ISSUE TYPE
COMPONENT NAME
ansible-vault
ANSIBLE VERSION
CONFIGURATION
Configuration unchanged, I have run the same manual check across three versions, 2.3, 2.4 and 2.5 with the same config file. It is the default configuration.
OS / ENVIRONMENT
Linux Ubuntu 16.04 Dell XPS 13
I first installed just the devel version (2.5), after finding this bug, I apt-get installed 2.3 and tested it. After this, to duplicate virtualenv situation, I then installed stable-2.4 via pip in a new venv, then finally installed 2.3 in another separate env.
SUMMARY
Files can be encrypted with:
ansible-vault encrypt foobar.yml
But when you use:
ansible-vault edit foorbar.yml
On 2.4 and 2.5, you receive a prompt to set a new password again, even though the file is already encrypted, you can then drag your version back to 2.3, and it wiill return to "normal/expected behaviour".
EDIT: Also, an additional point (this is actually probably important), is that when you are reprompted to create a "new" password for an already encrypted file, if you input the password originally used for encryption on both of the "set a new password prompts", you will be able to access the file, if you try to set a new password however, that will fail.
STEPS TO REPRODUCE
Install from devel, locate yourself in the role directory and create a file you wish to ansible-vault, use
ansible-vault encrypt foobar.yml
on the file, then try and runansible-vault edit foobar.yml
, this should occur on 2.4 and 2.5, I first ran the encrypt via 2.5, and I can successfully edit it using 2.3, but not any version higher than 2.3EXPECTED RESULTS
I expected to be able to get a predictable result from ansible-vault, I expect to be able to encrypt, decrypt, edit and view like I can in 2.3
ACTUAL RESULTS
What
EDIT: Also, an additional point (this is actually probably important), is that when you are reprompted to create a "new" password for an already encrypted file, if you input the password originally used for encryption on both of the "set a new password prompts", you will be able to access the file, if you try to set a new password however, that will fail.
The text was updated successfully, but these errors were encountered: